Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Warren Parad <wparad@rhosys.ch> Fri, 08 October 2021 23:05 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C476F3A0CB9 for <oauth@ietfa.amsl.com>; Fri, 8 Oct 2021 16:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6pbUH95pfjBq for <oauth@ietfa.amsl.com>; Fri, 8 Oct 2021 16:05:37 -0700 (PDT)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69F953A0CBB for <oauth@ietf.org>; Fri, 8 Oct 2021 16:05:37 -0700 (PDT)
Received: by mail-yb1-xb31.google.com with SMTP id v195so24417729ybb.0 for <oauth@ietf.org>; Fri, 08 Oct 2021 16:05:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F5bqKn6TnPeRqZvVMk9MXxgF3QMjt1uMpzSmSBnXe14=; b=fa2VqUz/WAWyVYem6bQZUW37/y0dBgIz1+7nrXwWwMHJA3aMfhcgqglGgOPqgLaRHC 7zlKsZBT8xpBXksBfOS5BzHy9eCZc5BNDtkWQIV0vw3/mYsCeML4W89BKqftsPBfScG7 UHjkynNQN9WBnkxBxzUy13eug2RFJ9RfVI/mVk3JPtSjuclA2ForbvOS/ioZb8ua5qr0 M0xCmRZm42C7gUELqa/i81aUl0ik1UQPC+1HOouFeOL8DasqSlVqoRniLvrIC1SZMT5f 9xv8dgaqSHWXXtYxOkF5H0ft4HdgkH3nyBBrSIaG7DLZ9NVcfDsD33tGYcTHCdE8I0J8 fOpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F5bqKn6TnPeRqZvVMk9MXxgF3QMjt1uMpzSmSBnXe14=; b=brpNGB2VBShe3KOJBhR4YrxGs1TQiwVSEKZaD/3gLa0VZ6LyUYzFrRp2dl8uzs0KeP OUGvruKRQrftlgExES6vedOpWniRJiYqeXDP4aYXB54AkU+FmK/cJ09rfu5ZYldHzRvv jsk90G4aVtCVjM6j/sipOLEs6tDGzsdBi/vn09N6NVm10Vsym6Y54sJ6ZNyMPaQVkKIQ 7mCComXzmwAPJ+bFqls0j7pjJ0SbcmxxT5O4TNge/J1CnP89+etJX1W5c95uyu76EFi3 jwG8RyLMheaN+FpdPUfrptUX933wxokmUdYu6/QxB3QsbrZc3/r5x1KcrxXKLiJWPKOd OrSw==
X-Gm-Message-State: AOAM532BzD+v8yZlcYuhyEjE5vAqGzsDe02RFnwPNMcXx1VKX80I2Oth 24jXURQkV4czumsOxhTzURbR4dK1QoNdZYdoZ7CDzZlMPmTs
X-Google-Smtp-Source: ABdhPJyb/r8gxXq2V9/2YWZLa0goFmHxOsDEKa51Cf0ZdVD1mGd9jWRbRkfweoBgwpFL8/VQn43O226XGBpsQj+m6mI=
X-Received: by 2002:a25:1545:: with SMTP id 66mr6470587ybv.521.1633734334960; Fri, 08 Oct 2021 16:05:34 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <D445073E-D495-4250-9773-9AEEB09C01E0@amazon.com> <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com> <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com> <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com>
In-Reply-To: <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sat, 09 Oct 2021 01:05:23 +0200
Message-ID: <CAJot-L1fio+-1sSn6Z88ianq04RoHJ3M5yxe0Bzu2Cs-CWCPkg@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b16d1d05cddf6a16"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RzcuaPXnV6w8j9Y8CG4138xDQoM>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2021 23:05:42 -0000
We can definitely start without that general purpose security mechanism being proven, by using other proven mechanisms to solve the same problem. There's no reason we need to depend on nor utilize HTTPSig for solving the problems hoped to be achieved with this draft. But we do need to stipulate concretely what should be solved by the draft and then we can discuss what's the right approach. If we are saying DPoP is the right approach to solve it, we have a draft already (we would need to discuss whether an alternative is the right approach or reusing that one/making adjustments). Perhaps DPoP isn't the right approach, and maybe it is, but we need to start at the beginning. Right now it just seems we are haphazardly throwing out an implementation for a draft standard for the sake of implementing that standard. "There are people that want to use it" isn't productive, what is productive is describing the core problem that they are facing, the why, and attacking it problem-first, not solution-first. It also sounds like we want to justify that work with an authored RFC from the OAuth WG. Okay, we can push that work, but it needs to be focused on core problems and solutions revolving in the OAuth space, and not done in a way for the sole purpose of justifying the work another draft is setting up. I don't think any one is doubting the benefits that could be gained, but we should be doubting if this is the right way from an OAuth perspective and the direction we want to go. We should enumerate those, work on refining what is in scope and going from there. The problem with the current draft, is that it doesn't give us an adequate starting point, sure we can push everything to the WG to solve every open point, but I for one, would like to see at least a partial draft that attempts to outline the problem and include a solution which supports a majority of use cases, without being a very niche collaboration with the existing signature draft. Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. On Fri, Oct 8, 2021 at 11:07 PM Dick Hardt <dick.hardt@gmail.com> wrote: > > inline > > On Fri, Oct 8, 2021 at 2:00 PM Richard Backman, Annabelle < > richanna@amazon.com> wrote: > >> IE, if the success of HTTP Signing is tied to the OAuth WG adopting the >> draft, then Mike's arguments about the WG already doing this work is valid. >> >> >> It's not the success of HTTP Message Signatures that concerns me here; >> that draft will reach RFC regardless of what the OAuth WG does. >> > > Maybe, maybe not. And then having adoption and proving that all the other > concerns raised on the list such as canonicalization challenges are moot. > > >> But I and others would like to use Message Signatures with OAuth 2.0, and >> would like to have some confidence that there will be a standard, >> interoperable way to do that. >> >> There are other, non-OAuth 2.0 use cases for HTTP Message Signatures. I >> don't see the rationale behind waiting for implementations for completely >> unrelated use cases, or by parties that aren't using OAuth 2.0 for >> authorization. How are they relevant? >> > > The proposal is to build upon a general purpose security mechanism. I > would like to see that general purpose security mechanism proven before > building upon it. > > /Dick > ᐧ > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Call for Adoption - OAuth Proof of Pos… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Aaron Parecki
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Aaron Parecki
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Denis
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Neil Madden
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Ash Narayanan
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Aaron Parecki
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Mike Jones
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Domingos Creado
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Mike Jones
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… David Waite
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: Call for A… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… David Waite
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: Call for A… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Warren Parad
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Dick Hardt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Dick Hardt